Home Decisions

Decision 002/2017

Decision 002/2017: Mrs Carolyn Neilson and Greater Glasgow and Clyde Health Board

Grievance information

Reference No: 201601076
Decision Date: 6 January 2017

Summary

On 7 September 2015, Greater Glasgow and Clyde Health Board (NHS Greater Glasgow and Clyde) were asked for information about a staff grievance. NHS Greater Glasgow and Clyde disclosed some information and withheld some personal data.

The Commissioner found that NHS Greater Glasgow and Clyde had initially failed to identify all of the information falling within the scope of the request. It wrongly withheld some information which it initially considered to be personal data, but which was later disclosed. It also failed to comply with timescales for responding to the request and request for review. However, NHS Greater Glasgow and Clyde was entitled to withhold personal data.

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1) and (4) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 10(1) (Time for compliance); 21(1), (4), (5) and (10) (Review by Scottish public authority); 38(1)(a) and(b), (2)(a)(i) and (b) and (5) (definitions of "data protection principles", "data subject" and "personal data") (Personal information)

Data Protection Act 1998 (the DPA) section 1(1) (Basic interpretative provisions) (definition of "personal data"); 2(e) (Sensitive personal data); Schedule 1 (The data protection principles, Part I: the principles) (the first data protection principle); Schedule 2 (Conditions relevant for purposes of the first principle: processing of any personal data) (conditions 1 and 6); Schedule 3 (Conditions relevant for purposes of the first principle: processing of sensitive personal data) (conditions 1 and 5)

The full text of each of the statutory provisions cited above is reproduced in Appendix 1 to this decision. The Appendix forms part of this decision.

Background

1. On 7 September 2015, Mrs Neilson made a request for information to NHS Greater Glasgow and Clyde. She asked for all information held by NHS Greater Glasgow and Clyde, or any person on its behalf, in connection with a specific grievance raised by a named staff member. Mrs Neilson confirmed that the information should include, but not be limited to:

(a) correspondence between the ECMS Directorate management team and their Head of HR relating to the management of the procedural aspects of this grievance after receipt

(b) information confirming who made and approved the decision that the Commissioner of the SCI investigation should chair the grievance panel

(c) information confirming the identity of all individuals within the ECMS management team who were involved in investigating the incident both before and after it was given SCI status

2. On 14 October 2015, NHS Greater Glasgow and Clyde wrote to Mrs Neilson and apologised for the delay in responding to her request. It again wrote to Mrs Neilson on 23 October 2015 and provided some information with an explanation that some information had been redacted because it was personal data. It explained that this was a holding response and that a full response to her request would follow.

3. On 27 October 2015, Mrs Neilson again wrote to NHS Greater Glasgow and Clyde and provided details of two emails and two letters which she believed it should hold and which fell within the scope of her request.

4. On 10 November 2015, Mrs Neilson wrote to NHS Greater Glasgow and Clyde requesting a review on the basis that it had failed to provide a response to her request.

5. NHS Greater Glasgow and Clyde responded to Mrs Neilson's request on 11 December 2015. It provided her with a set of emails (which included the emails she had referred to in her email of 27 October 2015, as above) explaining that personal data had been redacted. It also explained that, in addition to the redacted information, it was also withholding three letters, a statement of case and a list of witness questions. It considered that disclosure would breach the first data protection principle, and the information was therefore exempt from disclosure under section 38(1)(b) of FOISA in conjunction with 38(2)(a)(i).

6. NHS Greater Glasgow and Clyde also referred Mrs Neilson to information that had been provided in response to her earlier requests, explaining that it would not be provided again. It advised Mrs Neilson that she had the right to request a review if she was dissatisfied with the response. (This response is considered later in the decision, in terms of its compliance with section 21 of FOISA.)

7. On 16 December 2015, NHS Greater Glasgow and Clyde provided a separate response to Mrs Neilson's requirement for review (10 November 2015) as it pertained to its failure to respond to her request. NHS Greater Glasgow and Clyde apologised for its failure to respond within the statutory time of 20 working days. It stated that it should have explained that its response of 23 October 2015 was a holding response, and acknowledged that it should also have explained why the redacted information was considered exempt from disclosure under FOISA.

8. On 7 June 2016, Mrs Neilson applied to the Commissioner for a decision in terms of section 47(1) of FOISA. In summary, she was dissatisfied that NHS Greater Glasgow and Clyde had failed to comply with the timescales and provisions set down in sections 10 and 21 of FOISA; she believed that it should hold further information (including the authority's grievance policy); and she questioned whether it was entitled to withhold information under section 38(1)(b) of FOISA. In particular, Mrs Neilson questioned whether the year an email had been sent or received was personal data

Investigation

9. The application was accepted as valid. The Commissioner confirmed that Mrs Neilson made a request for information to a Scottish public authority and asked the authority to review its response to that request before applying to her for a decision.

10. On 7 July 2016, NHS Greater Glasgow and Clyde was notified in writing that Mrs Neilson had made a valid application. It was asked to send the Commissioner the information withheld from Mrs Neilson. NHS Greater Glasgow and Clyde provided the information and the case was allocated to an investigating officer.

11. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application. NHS Greater Glasgow and Clyde was invited to comment on Mrs Neilson's application, and to answer specific questions in relation to its handling of her request, and the application of any exemptions within FOISA that it wished to apply. Further correspondence between NHS Greater Glasgow and Clyde and the investigating officer followed.

12. NHS Greater Glasgow and Clyde accepted that, in responding to Mrs Neilson's request and requirement for review, it had failed to comply with section 10 and 21 of FOISA and apologised for these failures.

13. NHS Greater Glasgow and Clyde described the searches it had conducted to ascertain what information it held falling within the scope of Mrs Neilson's request: these are considered in detail below.

14. NHS Greater Glasgow and Clyde initially submitted that information showing the year that emails had been created was personal data and exempt from disclosure in terms of section 38(1)(b) of FOISA. However, following further correspondence with the Commissioner's office, it provided Mrs Neilson with the dates previously withheld.

15. Mrs Neilson made submissions as to why she believed that NHS Greater Glasgow and Clyde held more information. She also explained why she had a legitimate interest in the disclosure of the information. She intimated that she was not seeking the disclosure of information to and from a named individual: therefore, the Commissioner will not consider that information any further in this decision.

16. Mrs Neilson accepted that any data pertaining to herself could properly be withheld under section 38(1)(a) of FOISA. However, she complained that NHS Greater Glasgow and Clyde had failed to comply with FOISA by failing to inform her that her own personal data was being withheld under this exemption, and by failing to advise her of her rights to access it under the DPA.

Commissioner's analysis and findings

17. In coming to a decision on this matter, the Commissioner considered all of the withheld information and the relevant submissions, or parts of submissions, made to her by both Mrs Neilson and NHS Greater Glasgow and Clyde. She is satisfied that no matter of relevance has been overlooked.

Was all relevant information identified, located and provided?

18. Section 1(1) of FOISA provides that a person who requests information from a Scottish public authority which holds it is entitled to be given that information by the authority, subject to certain qualifications which, by virtue of section 1(6) of FOISA, allow Scottish public authorities to withhold information or charge a fee for it.

19. The information to be given is that held by the authority at the time the request is received, as defined in section 1(4). This is not necessarily to be equated with information the authority should hold. If no such information is held by the authority, section 17(1) of FOISA requires it to give the applicant notice in writing to that effect.

20. NHS Greater Glasgow and Clyde described the searches it had conducted to ascertain what information it held falling within the scope of Mrs Neilson's request. It provided explanation as to the staff consulted, which included those Mrs Neilson believed should be consulted, and the responses to those consultations.

21. NHS Greater Glasgow and Clyde submitted that, during these searches, it had located the two letters to which Mrs Neilson had referred to within her email of 25 October 2015. It apologised for not identifying this information at the time it dealt with Mrs Neilson's request.

22. NHS Greater Glasgow and Clyde also accepted that it should have identified its grievance policy as falling within the scope of Mrs Neilson's request, and should have told her that it was available on its website.

23. The Commissioner finds that, in responding to Mrs Neilson's request, NHS Greater Glasgow and Clyde failed to identify and locate all of the information it held and which fell within the scope of her request. This was clearly a failure to comply with section 1(1) of FOISA.

24. The Commissioner accepts NHS Greater Glasgow and Clyde's interpretation of the request under consideration here and, having considered all relevant submissions and the terms of the request, the Commissioner accepts that, by the close of the investigation, NHS Greater Glasgow and Clyde had identified and located all of the information it held and which fell within the scope of Mrs Neilson's request.

Section 38(1)(a) - Personal data of the applicant

25. In its submissions to the Commissioner, NHS Greater Glasgow and Clyde submitted that some of the withheld personal data related to Mrs Neilson herself and as such was exempt from disclosure in terms of section 38(1)(a) of FOISA. It apologised for not explaining this to Mrs Neilson at the time it dealt with her request.

26. Where information is the personal data of the applicant, that information is exempt from disclosure under section 38(1)(a) of FOISA. The exemption exists because individuals have a separate right to make a request for their own personal data (commonly known as a "subject access request") under section 7 of the DPA. The DPA will therefore usually determine whether a person has a right to their own personal data, and govern the exercise of that right. Section 38(1)(a) of FOISA does not deny individuals a right to access to information about themselves, but ensures that the right is exercised under the DPA and not under FOISA.

27. In considering this exemption, the Commissioner will first consider whether the information in question is personal data of Mrs Neilson as defined in section 1(1) of the DPA. If it is, then that information is exempt from disclosure under FOISA.

28. "Personal data" are defined in section 1(1) of the DPA as "data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller" (the full definition is set out in Appendix 1).

29. NHS Greater Glasgow and Clyde redacted Mrs Neilson's name from the information disclosed and submitted that this information was her own personal data.

30. The Commissioner has considered the information withheld under section 38(1)(a) carefully. She is satisfied that any information which identifies Mrs Neilson relates to her. She accepts that Mrs Neilson's name is information from which she can be identified, and is her personal data. Consequently, she finds that NHS Greater Glasgow and Clyde was entitled to withhold this information under section 38(1)(a) of FOISA.

31. The exemption in section 38(1)(a) is an absolute exemption: it is not subject to the public interest test contained in section 2(1)(b) of FOISA.

32. The Commissioner finds that NHS Greater Glasgow and Clyde failed to notify Mrs Neilson that it was relying upon section 38(1)(a) of FOISA to withhold her own personal information. By failing to do so, NHS Greater Glasgow and Clyde failed to comply with Part 1 of FOISA.

33. NHS Greater Glasgow and Clyde also failed to advise Mrs Neilson of her rights under the DPA. Although this is not required in terms of compliance with FOISA, it would have been good practice to do so.

Section 38(1)(b) - Personal data of a third party

34. Section 38(1)(b) of FOISA, read in conjunction with section 38(2)(a)(i) or (2)(b) (as appropriate), exempts personal data if its disclosure to a member of the public, otherwise than under FOISA, would contravene any of the data protection principles. It is an absolute exemption, not subject to the public interest test contained in section 2(1)(b) of FOISA.

35. NHS Greater Glasgow and Clyde submitted that, other than Mrs Neilson's personal data, the only information that it wished to withhold was information that would lead to the identification of the staff member who had raised the grievance, and information regarding the absence of other staff members. It submitted that this information was personal data and was exempt from disclosure in terms of section 38(1)((b) of FOISA, on the basis that disclosure would contravene the first data protection principle.

36. NHS Greater Glasgow and Clyde submitted that the withheld information related to either the staff member who had raised the grievance, or to the sickness absence of other staff members, and was the personal data of these individuals.

37. The Commissioner is satisfied that a living individual could be identified from the information withheld by NHS Greater Glasgow and Clyde, either by itself or with other information reasonably likely to be accessible to Mrs Neilson (and others). Given the nature of the information, the Commissioner finds that it relates to the living individuals concerned. Consequently, the Commissioner accepts that the information is those individuals' personal data, as defined by section 1(1) of the DPA.

38. The Commissioner also notes that Mrs Neilson is in a unique position in that she is already aware of some of the information that has been withheld. Mrs Neilson confirmed during the investigation that she has access to all of the withheld information apart from a list of witness questions.

Sensitive personal data

39. NHS Greater Glasgow and Clyde submitted that some of the withheld information related to sickness absence of identifiable staff members and as such was sensitive personal data, as defined by the DPA.

40. Section 2 of the DPA provides that certain types of personal data are to be considered as sensitive personal data, which is afforded additional protection under the DPA. This includes information about the physical or mental health or condition of an individual (section 2(e) of the DPA).

41. Mrs Neilson has queried whether the information should be regarded as sensitive personal data, if it does not reveal medical details. The Commissioner is satisfied that the information under consideration here clearly falls within the definition of sensitive personal data in the DPA. It is information about the physical or mental health or condition of an individual at a particular time.

The first data protection principle

42. The first data protection principle states that personal data shall be processed fairly and lawfully. The processing in this case would be disclosure of the information into the public domain in response to Mrs Neilson's request. The first data protection principle also states that personal data shall not be processed unless at least one of the conditions in Schedule 2 to the DPA is met. In the case of sensitive personal data, at least one of the conditions in schedule 3 to the DPA must also be met.

Can any of the conditions in Schedule 3 to the DPA be met?

43. As mentioned above, the Commission considers that some of the withheld information is sensitive personal data, and, as such, a condition in schedule 3 of the DPA must be met to allow disclosure into the public domain.

44. The Commissioner's guidance[1] on the section 38 exemption concludes that (in practical terms) there are only two conditions in Schedule 3 which would allow sensitive personal data to be processed in the context of a request for information under FOISA, namely:

· Condition 1 - the data subject has given explicit consent to the release of the information or

· Condition 5 - the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

45. In relation to the withheld information, the Commissioner accepts that the data subjects have not given explicit consent to disclosure of the information and, in the circumstances, she would not expect NHS Greater Glasgow and Clyde to attempt to obtain such consent. Consequently, she is satisfied that condition 1 in Schedule 3 cannot be met.

46. Similarly, from the information available to her, the Commissioner is unable to conclude that condition 5 in Schedule 3 can be met in this case.

47. Having also considered the other conditions in Schedule 3, the Commissioner has come to the conclusion that there is no condition which would permit disclosure of the sensitive personal data under consideration. In the absence of such a condition, disclosure would be unlawful. Consequently, the Commissioner finds that disclosure of any information relating to the sickness absence of identifiable members of staff would breach the first data protection principle, and that the information is therefore exempt from disclosure (and properly withheld) under section 38(1)(b) of FOISA.

Can any of the conditions in Schedule 2 to the DPA be met?

48. The Commissioner will now consider whether there are any conditions in Schedule 2 which would permit the remaining withheld (non-sensitive) personal data to be disclosed. If any of the conditions in Schedule 2 can be met, she must then consider whether disclosure of the personal data would be fair and lawful.

49. When considering the conditions in Schedule 2, the Commissioner has noted Lord Hope's comment in the case of Common Services Agency v Scottish Information Commissioner [2008] UKHL 47[2], that the conditions require careful treatment in the context of a request for information under FOISA, given that they were not designed to facilitate the release of information, but rather to protect personal data from being processed in a way that might prejudice the rights, freedoms or legitimate interests of the data subject (i.e. the person or persons to whom the data relate).

50. There are three separate aspects to the first data protection principle: (i) fairness, (ii) lawfulness and (iii) the conditions in the schedules. These three aspects are interlinked. For example, if there is a specific condition in Schedule 2 which permits the personal data to be disclosed, it is likely that the disclosure will also be fair and lawful.

51. In her application to the Commissioner, Mrs Neilson questioned whether NHS Greater Glasgow and Clyde could have asked the individual who had submitted the grievance whether their personal data could be disclosed: this would meet condition 1 of Schedule 2 of the DPA.

52. The Commissioner is aware that Mrs Neilson has access to information held by the individual who submitted the grievance. She also notes that NHS Greater Glasgow and Clyde informed Mrs Neilson that the individual concerned could make a subject access request under the DPA for their own personal data (i.e. the information withheld from Mrs Neilson under section 38(1)(b) of FOISA). However, Mrs Neilson confirmed that she was the one who was seeking the information under FOISA, and not the individual in question.

53. Mrs Neilson also commented that NHS Greater Glasgow and Clyde did not make any attempt to contact the data subject to seek permission to disclose the information under FOISA. She considered that this failure made its response in terms of section 38(1)(b) of FOISA premature.

54. Taking account of all of the circumstances, including Mrs Neilson's existing access to information, the Commissioner is satisfied that there was no requirement on NHS Greater Glasgow and Clyde to seek permission from the data subject for disclosure of the information under FOISA. She finds that condition 1 of Schedule 2 is not met.

55. Condition 6 allows personal data to be processed if the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject (the individual to whom the data relate).

56. There are, therefore, a number of different tests which must be satisfied before condition 6 can be met. These are:

· Does Mrs Neilson have a legitimate interest in obtaining the personal data?

· If so, is the disclosure necessary to achieve those legitimate interests? In other words, is disclosure proportionate as a means and fairly balanced as to ends, or could these legitimate interests be achieved by means which interfere less with the privacy of the data subject?

· Even if disclosure is necessary for those purposes, would it nevertheless be unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? As noted by Lord Hope in the above judgment, there is no presumption in favour of disclosure of personal data under the general obligation laid down in FOISA. The legitimate interests of Mrs Neilson must outweigh the rights and freedoms or legitimate interests of the data subject before condition 6 will permit the personal data to be disclosed.

57. NHS Greater Glasgow and Clyde submitted that it has a duty it has a duty of confidentiality and disclosure would be unfair and/or unlawful. It stated that any employee has the right to raise a grievance in relation to their employment, but would not expect that such information would be made public.

Does Mrs Neilson have a legitimate interest or interests?

58. NHS Greater Glasgow and Clyde agreed that, as a member of the public, Mrs Neilson has a legitimate interest in information which would increase transparency in relation to the management process or handling of a grievance. However, it did not consider that disclosing the personal information in this case would increase Mrs Neilson's understanding of the case, or provide additional transparency.

59. NHS Greater Glasgow and Clyde submitted that, apart from Mrs Neilson's interest in transparency regarding how it dealt with the grievance, it did not consider that she had sufficiently set out what she believed to be her legitimate interests in relation to the withheld information.

60. NHS Greater Glasgow and Clyde submitted that Mrs Neilson already has a detailed knowledge of the case, such as her knowledge of the nature and dates of correspondence. She knows who raised the grievance and was in fact present during the grievance hearing, both as a witness and as an observer/scribe during the proceedings. On that basis, she knows the subject of the email correspondence, and is likely to know the details that have been redacted. NHS Greater Glasgow and Clyde considers that there is therefore little to be gained from the disclosure of this information into the public domain as it would not enhance Mrs Neilson's understanding of the case.

61. Mrs Neilson provided a number of submissions as to her legitimate interest in disclosure of the personal data.

62. Mrs Neilson agreed that her situation is unique, in that she is already aware of the identity of the data subject, whose details have been withheld. She confirmed that she asked for the information so she could scrutinise the management of the grievance, noting that NHS Greater Glasgow and Clyde has a Grievance Policy and Procedure. She explained why she believed it had not followed its policy and outlined her concerns about the way the grievance had been dealt with.

63. Mrs Neilson stated that it must be of value to other members of the public too, to be able to scrutinise how an authority manages staff who raise professional concerns about matters that impinge on patient and public safety. Without such scrutiny she believed these matters could easily pass by concealed and unnoticed, concerns would be forgotten and mistakes and wrongdoing are likely to be repeated.

64. Having considered all relevant submissions she has received on this point, along with the withheld personal data, the Commissioner accepts that Mrs Neilson, as an individual, has a legitimate interest in fully understanding whether NHS Greater Glasgow and Clyde followed its own policy in relation to the grievance in question. In this regard, the Commissioner notes that NHS Greater Glasgow and Clyde has already provided some information to Mrs Neilson, and that Mrs Neilson has confirmed she has had sight of, or access to, some information. The Commissioner considers that this goes some way in satisfying any legitimate interest Mrs Neilson might have in disclosure of the personal data.

65. The Commissioner does not accept that Mrs Neilson's legitimate interest in the personal data (in allowing scrutiny of whether NHS Greater Glasgow and Clyde followed its own grievance policy) would require disclosure of the personal data into the public domain, which is the consequence of disclosure under FOISA. The Commissioner does not accept that the specific information withheld from Mrs Neilson is relevant in relation to the legitimate interest which Mrs Neilson has identified.

66. Given this conclusion, the Commissioner finds that there is no condition in Schedule 2 which would permit disclosure of the personal data under consideration. In the absence of a condition permitting disclosure, that disclosure would be unlawful. Consequently, the Commissioner finds that disclosure would breach the first data protection principle and that the information is therefore exempt from disclosure (and properly withheld) under section 38(1)(b) of FOISA.

67. As mentioned above, NHS Greater Glasgow and Clyde provided Mrs Neilson with information pertaining to the year that emails had been created, having previously withheld that information under section 38(1)(b) of FOISA. In the absence of any submissions justifying the withholding of that information at the time NHS Greater Glasgow and Clyde dealt with Mrs Neilson's request, the Commissioner finds that it was not entitled to rely upon section 38(1)(b) of FOISA to withhold the information which was subsequently disclosed.

Handling of the requests - timescales and content of notices

68. Mrs Neilson has expressed dissatisfaction with NHS Greater Glasgow and Clyde's failure to comply with the timescale required by FOISA in responding to her request for information.

69. Section 10(1) of FOISA gives Scottish public authorities a maximum of 20 working days after receipt of the request to comply with a request for information, subject to certain exceptions which are not relevant in this case.

70. Section 21(1) of FOISA gives authorities a maximum of 20 working days after receipt of the requirement to comply with a requirement for review, subject to exceptions which are not relevant in this case.

71. As NHS Greater Glasgow and Clyde has acknowledged, it failed to respond to Mrs Neilson's request and requirement for review within these timescales, so the Commissioner must find that in these respects it failed to comply with sections 10(1) and 21(1) of FOISA.

72. Mrs Neilson also questioned whether NHS Greater Glasgow and Clyde had complied with section 21(4) of FOISA in responding to her requirement for review, and whether it had provided her with information about her rights of review and appeal (section 21(10)).

73. It appears to the Commissioner that there was some confusion within NHS Greater Glasgow and Clyde about the handling of Mrs Neilson's requirement for review. Having received her review request on 10 November 2015, any response thereafter by NHS Greater Glasgow and Clyde should have been treated as a response to her requirement for review. As noted, on 11 December 2015, NHS Greater Glasgow and Clyde sent Mrs Neilson a letter which responded to her request and told her that she had the right to request a review if she was dissatisfied with the response. This was incorrect: given that this letter should have been considered as a response to her requirement for review, and should have provided her with a decision, where no decision had been reached (section 21(4)(c) of FOISA), Mrs Neilson should have been advised of her rights of application to the Commissioner and of appeal (section 21(10)). She was not required to make a second request for review to NHS Greater Glasgow and Clyde.

74. The Commissioner notes that Mrs Neilson received (in effect) two responses to her requirement for review, dated 1 and 16 December 2016. Taken together, she is satisfied that these met the relevant requirements of section 21 of FOISA. However, given that both of these letters can only be interpreted as responding to the same requirement for review, it would have been helpful if their content could have been combined in a single communication.

75. The Commissioner notes NHS Greater Glasgow and Clyde has apologised about the time it took to deal with Mrs Neilson's requests and has submitted that this was due to the volume and complexity of the correspondence, and staff shortage. The Commissioner acknowledges this, but must also emphasise that public authorities are obliged to comply with the timescales for compliance set down in FOISA. She is pleased to note that NHS Greater Glasgow and Clyde appears to have taken on board the lessons learned during this investigation.

Decision

The Commissioner finds that NHS Greater Glasgow and Clyde partially complied with Part 1 of the Freedom of Information (Scotland) Act 2002 in responding to the information request made by Mrs Neilson. In particular she found that NHS Greater Glasgow and Clyde:

· failed to identify and locate all of the information that it held falling within the scope of Mrs Neilson's request

· failed to inform Mrs Neilson that it was relying upon section 38(1)(a) of FOISA to withhold her own personal data

· wrongly withheld some information under section 38(1)(b) of FOISA

· failed to comply with the requirements of sections 10(1) and 21(1) of FOISA.

The Commissioner finds that NHS Greater Glasgow and Clyde was entitled to withhold personal data under section 38(1)(a) and (b) of FOISA.

Appeal

Should either Mrs Neilson or NHS Greater Glasgow and Clyde wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

Margaret Keyse
Head of Enforcement

6 January 2017

Appendix 1: Relevant statutory provisions

Freedom of Information (Scotland) Act 2002

1 General entitlement

(1) A person who requests information from a Scottish public authority which holds it is entitled to be given it by the authority.

(4) The information to be given by the authority is that held by it at the time the request is received, except that, subject to subsection (5), any amendment or deletion which would have been made, regardless of the receipt of the request, between that time and the time it gives the information may be made before the information is given.

2 Effect of exemptions

(1) To information which is exempt information by virtue of any provision of Part 2, section 1 applies only to the extent that -

(a) the provision does not confer absolute exemption; and

(2) For the purposes of paragraph (a) of subsection 1, the following provisions of Part 2 (and no others) are to be regarded as conferring absolute exemption -

(e) in subsection (1) of section 38 -

(ii) paragraph (b) where the first condition referred to in that paragraph is satisfied by virtue of subsection (2)(a)(i) or (b) of that section.

10 Time for compliance

(1) Subject to subsections (2) and (3), a Scottish public authority receiving a request which requires it to comply with section 1(1) must comply promptly; and in any event by not later than the twentieth working day after-

(a) in a case other than that mentioned in paragraph (b), the receipt by the authority of the request; or

21 Review by Scottish public authority

(1) Subject to subsection (2), a Scottish public authority receiving a requirement for review must (unless that requirement is withdrawn or is as mentioned in subsection (8)) comply promptly; and in any event by not later than the twentieth working day after receipt by it of the requirement.

(4) The authority may, as respects the request for information to which the requirement relates-

(a) confirm a decision complained of, with or without such modifications as it considers appropriate;

(b) substitute for any such decision a different decision; or

(c) reach a decision, where the complaint is that no decision had been reached.

(5) Within the time allowed by subsection (1) for complying with the requirement for review, the authority must give the applicant notice in writing of what it has done under subsection (4) and a statement of its reasons for so doing.

(10) A notice under subsection (5) or (9) must contain particulars about the rights of application to the Commissioner and of appeal conferred by sections 47(1) and 56.

38 Personal information

(1) Information is exempt information if it constitutes-

(a) personal data of which the applicant is the data subject;

(b) personal data and either the condition mentioned in subsection (2) (the "first condition") or that mentioned in subsection (3) (the "second condition") is satisfied;

(2) The first condition is-

(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998 (c.29), that the disclosure of the information to a member of the public otherwise than under this Act would contravene-

(i) any of the data protection principles; or

(b) in any other case, that such disclosure would contravene any of the data protection principles if the exemptions in section 33A(1) of that Act (which relate to manual data held) were disregarded.

(5) In this section-

"the data protection principles" means the principles set out in Part I of Schedule 1 to that Act, as read subject to Part II of that Schedule and to section 27(1) of that Act;

"data subject" and "personal data" have the meanings respectively assigned to those terms by section 1(1) of that Act;

Data Protection Act 1998

1 Basic interpretative provisions

(1) In this Act, unless the context otherwise requires -

"personal data" means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

2 Sensitive personal data

In this Act "sensitive personal data" means personal data consisting of information as to-

(e) his physical or mental health or condition,

Schedule 1 - The data protection principles

Part I - The principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1. The data subject has given his consent to the processing.

...

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

[1] http://www.itspublicknowledge.info/Law/FOISA-EIRsGuidance/section38/Section38.asp

[2] http://www.publications.parliament.uk/pa/ld200708/ldjudgmt/jd080709/comm-1.htm